SAAS SECURITY ATTACHMENT - PactSafe


Introduction: Hyland maintains and manages a comprehensive written security program that covers the Hyland Cloud Service and is designed to protect: (a) the security and integrity of Customer Data; (b) against threats and hazards that may negatively impact Customer Data; and (c) against unauthorized access to Customer Data. Such program includes the following:

1. Risk Management.

1.1 Conducting an annual risk assessment designed to identify threats and vulnerabilities in the administrative, physical, legal, regulatory, and technical safeguards used to protect the Hyland Cloud Service.

1.2 Maintaining a documented risk remediation process to assign ownership of identified risks, establish remediation plans and timeframes, and provide for periodic monitoring of progress.

2. Information Security Program.

2.1 Maintaining a documented comprehensive Hyland Cloud Service information security program. This program will include policies and procedures based on industry standard practices, which may include ISO 27001/27002, or other equivalent standards.

2.2 Such information security program shall include, as applicable: (i) adequate physical and cyber security where Customer Data will be processed and/or stored; and (ii) reasonable precautions taken with respect to Hyland personnel employment.

2.3 These policies will be reviewed and updated by Hyland management annually.

3. Organization of Information Security. Assigning security responsibilities to appropriate Hyland individuals or groups to facilitate protection of the Hyland Cloud Service and associated assets.

4. Human Resources Security.

4.1 Hyland employees undergo comprehensive screening during the hiring process. Background checks and reference validation will be performed to determine whether candidate qualifications are appropriate for the proposed position. Subject to any restrictions imposed by applicable law and based on jurisdiction, these background checks include criminal background checks, employment validation, and education verification as applicable.

4.2 Ensuring all Hyland employees are subject to confidentiality and non-disclosure commitments before access is provisioned to the Hyland Cloud Service or Customer Data.

4.3 Ensuring applicable Hyland employees receive security awareness training designed to provide such employees with information security knowledge to provide for the security, availability, and confidentiality of Customer Data.

4.4 Upon Hyland employee separation or change in roles, Hyland shall ensure any Hyland employee access to the Hyland Cloud Service is revoked in a timely manner and all applicable Hyland assets, both information and physical, are returned.

5. Asset Management.

5.1 Maintaining asset and information management policies and procedures. This includes ownership of assets, an inventory of assets, classification guidelines, and handling standards pertaining to Hyland assets.

5.2 Maintaining media handling procedures to ensure media containing Customer Data as part of the Hyland Cloud Service is encrypted and stored in a secure location subject to strict physical access controls.

5.3 When a Hyland Cloud Service storage device has reached the end of its useful life, procedures include a decommissioning process that is designed to prevent Customer Data from being exposed to unauthorized individuals, using the media sanitization techniques recommended by NIST (SP 800-88) to destroy data as part of the decommissioning process.

5.4 If a Hyland storage device is unable to be decommissioned using these procedures, the device will be virtually shredded, degaussed, purged/wiped, or physically destroyed in accordance with industry-standard practices.

6. Access Controls.

6.1 Maintaining a logical access policy and corresponding procedures. The logical access procedures will define the request, approval and access provisioning process for Hyland personnel. The logical access process will restrict Hyland user (local and remote) access based on Hyland user job function (role/profile based, appropriate access) for applications and databases. Hyland user access recertification to determine access and privileges will be performed periodically. Procedures for onboarding and offboarding Hyland personnel users in a timely manner will be documented. Procedures defining the inactivity thresholds after which a Hyland personnel user account is suspended and then removed will be documented.

6.2 Limiting Hyland's access to Customer Data to its personnel who have a need to access Customer Data as a condition to Hyland's performance of the services under this Agreement. Hyland shall utilize the principle of "least privilege" and the concept of "minimum necessary" when determining the level of access for all Hyland users to Customer Data. Hyland shall require strong passwords subject to complexity requirements and periodic rotation and the use of multi-factor authentication.

6.3 Ensuring strict access controls are in place for Customer Data access by Hyland. Customer administrators control Customer's user access, user permissions, and Customer Data retention to the extent such controls are available to Customer with respect to the Hyland Cloud Service.

7. System Boundaries.

7.1 Hyland is not responsible for any system components that are not within the Hyland Cloud Platform, including network devices, network connectivity, workstations, servers, and software owned and operated by the Customer or other third parties. Hyland may provide support for these components at its reasonable discretion.

7.2 The processes executed within the Hyland Cloud Platform are limited to those that are executed by a Hyland employee (or Hyland authorized third party) or processes that are executed within Hyland's established system boundaries, in whole. This includes, but is not limited to, hardware installation, software installation, data replication, data security, and authentication processes.

7.3 Certain business processes may cross these boundaries, meaning one or more tasks are executed outside of Hyland's established system boundaries for the Hyland Cloud Platform, one or more tasks are executed by individuals who are not Hyland personnel (or authorized third parties), or one or more tasks are executed based on written requests placed by Customer. In such event, Hyland will provide support for such processes to the extent they occur within Hyland's established system boundaries, but Hyland is not responsible for providing support for such processes to the extent they occur outside of such established system boundaries. At its reasonable discretion, Hyland may provide limited support for processes that occur outside such established system boundaries for the Hyland Cloud Platform. Examples of business processes that cross these boundaries include, but are not limited to, Hyland Cloud Service configuration changes, processing that occurs within the Hyland Cloud Service, user authorization, and file transfers.

8. Encryption.

8.1 Customer Data shall only be uploaded to the Hyland Cloud Services over an encrypted channel, such as SFTP or TLS/SSL, or by an equivalent method.

8.2 Customer Data shall be encrypted at rest.

8.3 Where use of encryption functionality may be controlled or modified by Customer, in the event Customer elects to modify the use of or turn off any encryption functionality, Customer does so at its own risk.

9. Physical and Environment Security.

9.1 The Hyland Cloud Platform uses data centers or third party service providers who have demonstrated compliance with one or more of the following standards (or a reasonable equivalent): International Organization for Standardization ("ISO") 27001 and/or American Institute of Certified Public Accountants ("AICPA") Service Organization Controls ("SOC") Reports for Service Organizations. These providers provide Internet connectivity, physical security, power, and environmental systems and other services for the Hyland Cloud Platform.

9.2 Hyland uses architecture and technologies designed to promote both security and high availability.

10. Operations Security.

10.1 Maintaining documented Hyland cloud operating procedures.

10.2 Maintaining change management controls to ensure changes to Hyland Cloud Service production systems made by Hyland are properly authorized and reviewed prior to implementation. Customer is responsible for testing all configuration changes, authentication changes and upgrades implemented by Customer or implemented by Hyland at the request of Customer prior to production use of the Hyland Cloud Service. In cases where the Customer relies upon Hyland to implement changes on its behalf, a written request describing the change must be submitted (e.g. an e-mail, or another method provided by Hyland) by Customer's designated Customer Security Administrators ("CSAs") or set forth in a Services Proposal. Hyland will make scheduled configuration changes that are expected to impact Customer access to their Hyland Cloud Service during a planned maintenance window. Hyland may make configuration changes that are not expected to impact Customer during normal business hours.

10.3 Monitoring usage and capacity levels within the Hyland Cloud Platform to adequately and proactively plan for future growth.

10.4 Utilizing virus and malware protection technologies, which are configured to meet common industry standards designed to protect the Customer Data and equipment located within the Hyland Cloud Platform from virus infections or similar malicious payloads.

10.5 Implementing disaster recovery and business continuity procedures. These will include replication of Customer Data to a secondary location.

10.6 Maintaining a system and security logging process to capture system logs deemed critical by Hyland. These logs shall be maintained for at least six months and reviewed on a periodic basis.

10.7 Maintaining system hardening requirements and configuration standards for components deployed within the Hyland Cloud Platform. Ensuring servers, operating systems, and supporting software used in the Hyland Cloud Platform receive all Critical and High security patches in a timely manner, but in no event more than 90 days after release, subject to the next sentence. In the event any such security patch would materially adversely affect the Hyland Cloud Service, then Hyland will use reasonable efforts to implement compensating controls until a security patch is available that would not materially adversely affect the Hyland Cloud Service.

10.8 Conducting Hyland Cloud Platform vulnerability scans or analysis on at least a quarterly basis and remediating all critical and high vulnerabilities identified in accordance with its patch management procedures.

10.9 Conducting Hyland Cloud Platform penetration tests at least annually.

11. Communications Security.

11.1 Implementing Hyland Cloud Platform security controls to protect information resources within the Hyland Cloud Platform.

11.2 When supported, upon implementation and once annually thereafter, Customer may request Hyland limit access to Customer's Hyland Cloud Service to a list of pre-defined IP addresses at no additional cost.

12. Supplier Relationships. Maintaining a Vendor Management Program for its critical vendors. This program will ensure critical vendors are evaluated on an annual basis.

13. Security Incident.

13.1 Employing incident response standards that are based upon applicable industry standards, such as ISO 27001:2013 and National Institute of Standards and Technology ("NIST") guidance, to maintain the information security components of the Hyland Cloud Service environment.

13.2 Responses to these incidents follow the Hyland documented incident response sequence. This sequence includes the incident trigger phase, evaluation phase, escalation phase, response phase, recovery phase, de-escalation phase, and post-incident review phase.

13.3 If Hyland has determined Customer's Hyland Cloud Service has been negatively impacted by a security incident, Hyland will deliver a root cause analysis summary. Such notice will not be unreasonably delayed, but will occur after initial corrective actions have been taken to contain the security threat or stabilize the Hyland Cloud Service.

13.4 The root cause analysis will include the duration of the event, resolution, technical summary, outstanding issues, and follow-up, including steps Customer needs to take in order to prevent further issues. Hyland Cloud Service information including data elements that require additional confidentiality and security measures (including that of other customers impacted in the event) will not be publicly disclosed. If Customer needs additional details of an incident, a request to the Hyland GCS Support team must be submitted and handled on a case by case basis. The release of information process may require an on-site review to protect the confidentiality and security of the requested information.

13.5 Hyland will notify Customer of a Security Incident within 48 hours of determining that one has occurred. A "Security Incident" means a determination by Hyland of an actual disclosure of unencrypted Customer Data to an unauthorized person or entity that compromises the security, confidentiality, or integrity of the Customer Data.

14. Information Security Aspects of Business Continuity Management.

14.1 Maintaining a business continuity and disaster recovery plan.

14.2 Reviewing and testing this plan annually.

15. Aggregated Data.

15.1 Hyland owns all Customer and User registration and billing data collected and used by Hyland that is required for user set-up, use and billing for the Hyland Cloud Service ("Account Information") and all aggregated, anonymized and statistical data derived from the use and operation of the Hyland Cloud Service, including without limitation, the number of records in the Hyland Cloud Service, the number and types of transactions, configurations, and reports processed as part of the Hyland Cloud Service and the performance results of the Hyland Cloud Service (the "Aggregated Data").

15.2 Hyland may utilize the Account Information and Aggregated Data for purposes of operating Hyland's business. For clarity, Account Information and Aggregated Data do not include Customer Data.

16. Audit and Security Testing.

16.1 Monitoring its compliance with its information security program. This includes periodic internal reviews. Results are shared with Hyland leadership and deviations tracked through to remediation.

16.2 Maintaining a periodic external audit program. Completed attestations, such as available SOC 2 reports, are provided to Customer upon written request.

16.3 Customer may conduct audits of Hyland's operations that participate in the ongoing delivery and support of the Hyland Cloud Service purchased by Customer on an annual basis; provided Customer provides Hyland written notice of its desire to conduct such audit and the following criteria are met: (a) Hyland and Customer mutually agree upon the timing, scope, and criteria of such audit, which may include the completion of questionnaires supplied by Customer and guided review of policies, practices, procedures, Hyland Cloud Service configurations, invoices, or application logs, and (b) Customer agrees to pay Hyland fees (at Hyland's standard rates) for the Professional Services that are required or requested of Hyland in connection with such audit. Prior to any such audit, any third party engaged by Customer to assist with such audit must be cleared by Hyland and enter into a Non-Disclosure Agreement directly with Hyland. If any documentation requested by Customer cannot be removed from Hyland's facilities as a result of physical limitations or policy restrictions, Hyland will allow Customer's auditors access to such documentation at Hyland's corporate headquarters in Ohio and may prohibit any type of copying or the taking of screen shots. Where necessary, Hyland will provide private and reasonable accommodation at Hyland's corporate headquarters in Ohio for data analysis and meetings. Upon reasonable notice, Hyland and Customer mutually agree to make necessary employees or contractors available for interviews in person or on the phone during such audit at Customer's cost and expense. Customer is prohibited from distributing or publishing the results of such audit to any third party without Hyland's prior written approval.

16.4 Customer may conduct penetration testing against the public URL used to access the Hyland Cloud Service on an annual basis; provided Customer provides Hyland with written notice of its desire to conduct such testing and the following criteria are met: (a) Hyland and Customer mutually agree upon the timing, scope, and criteria of such testing, which may include common social engineering, application, and network testing techniques used to identify or exploit common vulnerabilities including buffer overflows, cross-site scripting, SQL injection, and man-in-the-middle attacks, and (b) such testing is at Customer's cost and expense and Customer pays to Hyland fees (at Hyland's standard rates) for the Professional Services that are required or requested of Hyland in connection with such testing. Prior to any such testing, any third party engaged by Customer to assist with such testing must be cleared by Hyland and enter into a Non-Disclosure Agreement directly with Hyland. Customer acknowledges and agrees that any such testing performed without mutual agreement regarding timing, scope, and criteria may be considered a hostile attack, which may trigger automated and manual responses, including reporting the activity to local and federal law enforcement agencies as well as immediate suspension of Customer's access to or use of the Hyland Cloud Service. Customer is prohibited from distributing or publishing the results of such penetration testing to any third party without Hyland's prior written approval.
